Initially, SIEM (Security Information and Event Management) tools were designed for threat management against an external threat environment, protecting networks and systems through real-time analysis of events to support incident response (Security Event Management). There were also vendors that provided long-term storage, historical analysis and trending across a large database of logs to support forensic activities (Security Information Management). Definition from TechBudda in 2007.
Security Information and Event Management (SIEM) solutions provide real-time analysis of security alerts generated by network hardware and applications, so that companies can respond to attacks faster and organize the large volume of log data. A SIEM is essentially nothing more than a management layer above your existing systems and security controls: it connects and unifies the information contained in those systems so that it can be analyzed and cross-referenced from a single interface. The more of that information a SIEM has, the more effective it will be in helping you make effective detections, analyses, and responses in your security operations.
AlienVault has released a great resource explaining what SIEM is for beginners.
SIEM systems collect logs and other security-related records for analysis. Most SIEM systems deploy multiple collection agents in a hierarchical manner to gather security-related events from end-user devices, servers, network equipment and even specialized security equipment such as firewalls, antivirus or intrusion prevention systems. The collectors forward events to a centralized management console, which performs inspections and flags anomalies. For the system to identify anomalous events, it is important that the SIEM administrator first creates a profile of the system under normal event conditions: an anomaly is only meaningful relative to that baseline.
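To make the collect-normalize-baseline-flag pipeline concrete, here is an added example (not code from the original page or from any SIEM vendor) that builds a profile of normal hourly event counts per host and event type from constructed sample log lines, then flags new events that exceed the baseline or have no baseline at all. The syslog-like line shape, host names and event types are assumptions for the demonstration.

```python
import re
import statistics
from collections import Counter, defaultdict

# Constructed sample events in a minimal syslog-like shape:
# "<hour> <host> <event_type> <detail>". Not real data.
BASELINE_LOGS = """\
08 web01 sshd_auth_fail user=bob
08 web01 sshd_auth_fail user=bob
09 web01 sshd_auth_fail user=amy
10 web01 sshd_auth_fail user=bob
08 fw01 deny src=10.0.0.5
09 fw01 deny src=10.0.0.6
10 fw01 deny src=10.0.0.7""".splitlines()

# Constructed "live" events: a burst of failed logins plus an event type never seen in the baseline.
NEW_LOGS = [f"11 web01 sshd_auth_fail user=root try={i}" for i in range(12)]
NEW_LOGS += ["11 fw01 deny src=10.0.0.8", "11 db01 sudo_escalation user=svc"]

LINE_RE = re.compile(r"^(\d{2}) (\S+) (\S+) (.*)$")

def hourly_counts(lines):
    """Normalise each line and count events per (host, event_type, hour)."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # unparseable lines are skipped, as a collector would
            hour, host, etype, _ = m.groups()
            counts[(host, etype, hour)] += 1
    return counts

def build_profile(lines):
    """Baseline: mean and population stdev of hourly counts per (host, event_type)."""
    per_key = defaultdict(list)
    for (host, etype, _hour), n in hourly_counts(lines).items():
        per_key[(host, etype)].append(n)
    return {k: (float(statistics.mean(v)), statistics.pstdev(v)) for k, v in per_key.items()}

def detect_anomalies(profile, lines, k=3.0, min_stdev=1.0):
    """Flag hourly counts above mean + k*stdev, and event types with no baseline at all."""
    findings = []
    for (host, etype, hour), n in sorted(hourly_counts(lines).items()):
        if (host, etype) not in profile:
            findings.append({"host": host, "event_type": etype, "hour": hour, "count": n, "reason": "no baseline"})
            continue
        mean, stdev = profile[(host, etype)]
        threshold = mean + k * max(stdev, min_stdev)  # floor stops a flat baseline from alerting on +1
        if n > threshold:
            findings.append({"host": host, "event_type": etype, "hour": hour, "count": n,
                             "reason": f"count {n} > threshold {threshold:.1f}"})
    return findings

if __name__ == "__main__":
    for finding in detect_anomalies(build_profile(BASELINE_LOGS), NEW_LOGS):
        print(finding)
```

A real SIEM would persist the profile and recompute it on a rolling window; the `min_stdev` floor is the kind of tuning knob that keeps a perfectly regular baseline from paging on every small change.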